Digital Threat Report 2025–26: AI Asymmetry and Cyber Resilience in India’s BFSI Sector
(Source: Ministry of Textiles · PIB Factsheet & Report: “Mapping of Textile Waste Value Chain in India” (2026))
Relevance: GS 3 (Internal Security, Cybersecurity, Science & Technology) · GS 2 (Governance, Digital India, Regulatory Frameworks, Public–Private Partnerships)
Key Data at a Glance
| Indicator | Data |
|---|---|
| Edition | 2nd Digital Threat Report |
| Predictions Realised | 6 of 7 (2024–25 predictions) |
| Threat Timeline | Years → Weeks |
| Cyberattack Rate | 1.6× global average (India BFSI) |
| SISA Presence | 40+ countries |
| Roadmap | 18-month implementation framework |
Issue in Brief
- MeitY, CERT-In, CSIRT-Fin and SISA jointly released the Digital Threat Report 2025–26 focusing on India’s Banking, Financial Services and Insurance (BFSI) ecosystem.
- The report highlights that AI-powered cyberattacks are evolving much faster than defensive mechanisms, creating an AI Asymmetry between attackers and defenders.
- Six of seven cyber threat predictions made in the previous edition have already materialised, showing that cyber risks are evolving at unprecedented speed.
- The report introduces the “Anatomy of Cyber Failure – Four-Layer Gap Archetype Framework”, shifting cybersecurity from incident response to systemic resilience.
Static Background
India’s Cybersecurity Architecture
CERT-In
- National nodal agency for cybersecurity.
- Established under the Information Technology (Amendment) Act, 2008.
- Functions:
- Incident response
- Threat intelligence
- Early warning
- Cyber advisories
- Vulnerability management
CSIRT-Fin
Sector-specific Computer Security Incident Response Team for:
- Banking
- Insurance
- Securities Market
- Pension Funds
- Financial Institutions
Coordinates sectoral cyber incident response.
MeitY
Responsible for:
- Digital India
- Cybersecurity policy
- IT Act implementation
- National digital infrastructure
SISA
Global cybersecurity company specializing in:
- Digital Payment Security
- Digital Forensics
- Incident Response
- Payment Card Security
Operates across 40+ countries.
Legal & Regulatory Framework
- Information Technology Act, 2000
- IT (Amendment) Act, 2008
- Digital Personal Data Protection Act, 2023
- RBI Cyber Security Framework (2016)
- SEBI Cyber Security and Cyber Resilience Framework (CSCRF)
Why BFSI is Most Vulnerable
India’s BFSI ecosystem has rapidly digitised through:
- UPI
- Internet Banking
- Digital Lending
- Neo Banks
- FinTech
- Insurance Technology
Result:
- Largest digital transaction ecosystem.
- Highest-value cyber target.
According to BCG–DSCI (2026):
- Cyberattacks occur at 1.6 times the global average.
Key Dimensions
Threat Acceleration
The report observes:
- Six of seven previous predictions became reality.
- Threat lifecycle has compressed dramatically:
Years → Months → Weeks
Traditional:
Annual Patch → Audit → Compliance
is no longer adequate.
Modern attacks exploit vulnerabilities almost immediately.
AI Asymmetry
Meaning
AI Asymmetry refers to:
Offensive AI capabilities growing faster than defensive AI systems and regulations.
Earlier:
- Large hacker teams
- Months of preparation
Today:
- Small groups
- AI automation
- Machine-speed attacks
Emerging AI-enabled Threats
- AI-generated phishing emails
- Voice cloning
- Deepfake customer impersonation
- Automated malware generation
- AI-assisted credential theft
- AI-enabled social engineering
- Autonomous attack campaigns
Traditional awareness programmes alone are insufficient.
Anatomy of Cyber Failure
The report proposes the
Four-Layer Gap Archetype Framework
Instead of viewing breaches as isolated incidents, it identifies a chain of systemic weaknesses.
Typical breach progression:
- Human vulnerability
- Process failure
- Technology weakness
- Governance gap
Thus,
Cyber failures emerge from cumulative organisational weaknesses rather than a single technical lapse.
Public–Private Partnership Model
The report showcases collaboration between:
- MeitY
- CERT-In
- CSIRT-Fin
- SISA
Advantages:
- Government regulatory oversight.
- Private sector threat intelligence.
- Real-time incident response.
- Global best practices.
Can be replicated across:
- Power
- Telecom
- Healthcare
- Transport
- Defence
18-Month Cyber Resilience Roadmap
Phase I
Strengthen foundational controls
- Identity management
- Access control
- Endpoint protection
- Patch management
Phase II
Continuous capability building
- Continuous monitoring
- Threat hunting
- Security Operations Centres (SOC)
- Incident response drills
Phase III
Resilient Architecture
- Zero Trust Architecture
- AI-enabled defence
- Cyber resilience
- Business continuity
- Rapid recovery systems
Critical Analysis
Strengths
Predictive Accuracy
- 6 of 7 predictions materialised.
- Strong evidence-based forecasting.
AI Recognised as Present Risk
Rather than treating AI as a future challenge, the report recognises:
- AI-enabled attacks are already operational.
Systemic Security Approach
Focus shifts from:
Counting cyber incidents
to
Identifying structural weaknesses.
Strong PPP Model
Government and private-sector cooperation improves:
- Intelligence sharing
- Incident response
- Cyber preparedness
Structural Challenges
Advisory Nature
Recommendations are not legally binding.
Effective implementation depends upon:
- RBI
- SEBI
- IRDAI
issuing enforceable compliance standards.
Resource Constraints
Smaller banks and NBFCs often lack:
- Skilled manpower
- AI tools
- Security Operations Centres
- Continuous monitoring systems
Regulatory Lag
India’s AI governance framework is still evolving.
Dedicated regulation for:
- Offensive AI
- Adversarial AI
- Autonomous cyberattacks
remains limited.
Supply Chain Risks
Third-party vendors remain a major vulnerability.
Many attacks now originate through:
- Software vendors
- Cloud providers
- Managed service providers
Under-reporting
Institutions hesitate to disclose breaches because of:
- Reputation loss
- Customer confidence
- Regulatory scrutiny
This weakens collective cyber defence.
Way Forward
- RBI, SEBI and IRDAI should institutionalise the Four-Layer Gap Framework within mandatory cybersecurity audits.
- Develop a dedicated National Adversarial AI Security Policy under the IndiaAI Mission.
- Create a shared Security Operations Centre (SOC) for smaller banks and NBFCs.
- Mandate third-party cybersecurity audits and supply-chain risk assessments.
- Introduce safe-harbour provisions encouraging voluntary cyber incident reporting.
- Expand AI-enabled cyber defence capabilities through continuous red-teaming and threat intelligence sharing.
- Strengthen public-private collaboration for national critical infrastructure protection.